[tor-project] [INFORMATION REQUEST] Onion Service Web Site Deployments

Matthew Finkel sysrqb at torproject.org
Tue Jul 21 23:17:40 UTC 2020


On Tue, Jul 21, 2020 at 07:52:41PM +0200, Sebastian Hahn wrote:
> 
> 
> > On 21. Jul 2020, at 05:58, Matthew Finkel <sysrqb at torproject.org> wrote:
> > On Tue, Jul 21, 2020 at 01:47:40AM +0200, Sebastian Hahn wrote:
> >> 
> >> If there were some sensible way to have https which terminates at their
> >> end while they don't have to operate a hidden service, I am pretty sure
> >> we could work something out and I would obviously go for it.
> > 
> > I like Ian's example, if that is an option. I see that nginx supports
> > something similar, too. I can imagine a hacky socat solution, too (but a
> > reverse proxy is less of a duct-tape-and-chewing-gum design).
> 
> I also like Ian's suggestion, but it is not a fix. There's no end to end
> https between browser and webserver, users still need to trust me to not
> modify traffic. It only gets rid of the transport issue (which I don't
> worry about too much in this instance, tbh).

Yes, the "onion service-in-the-middle" design requires that someone
trust the onion service operator (either the client or the website
administrator).

In the future, maybe the website can use a SOOC [0] (TLS certificate)
with a binding for your onion service. If not, then solving this problem
will be difficult without the admin deploying their own onion service
and/or using a DV cert containing the .onion address.

[0] https://github.com/alecmuffett/onion-dv-certificate-proposal/blob/master/text/draft-muffett-same-origin-onion-certificates.txt
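As an added illustration (not part of this message, and not Ian's example, which is not reproduced in the thread), this is what the "onion service-in-the-middle" design looks like as an nginx reverse proxy configuration. The names used are assumptions for the example: www.example.org as the upstream site, a placeholder .onion address, a local listener on 127.0.0.1:8080, and the torrc lines in the header comment. The proxy terminates the onion connection, opens its own verified HTTPS connection to the real site, and therefore handles the plaintext of every request and response, which is exactly the trust point raised above.

```nginx
# Added example (not from the tor-project thread): an "onion service-in-the-middle"
# reverse proxy. Assumed names: upstream site www.example.org, a placeholder
# onion address, and a local listener on 127.0.0.1:8080.
#
# Matching torrc lines (assumed), so tor hands port 80 of the onion service
# to this nginx listener:
#   HiddenServiceDir /var/lib/tor/example_proxy/
#   HiddenServiceVersion 3
#   HiddenServicePort 80 127.0.0.1:8080

server {
    # Only reachable through tor; the onion circuit already gives the client
    # transport confidentiality and authentication of the onion service itself.
    listen 127.0.0.1:8080;
    server_name replace-with-your-onion-address.onion;   # placeholder

    location / {
        # Outbound leg: a real, verified HTTPS connection to the origin site.
        proxy_pass https://www.example.org;
        proxy_ssl_server_name on;
        proxy_ssl_name www.example.org;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Verify the origin's certificate against the system CA bundle. This is
        # what removes the transport issue between proxy and origin; without it
        # anyone on that path could impersonate the site.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 3;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # The origin expects its own hostname, not the .onion name.
        proxy_set_header Host www.example.org;

        # Rewrite Location headers so redirects keep users on the onion name.
        proxy_redirect https://www.example.org/ http://$host/;

        # Everything passes through this process in the clear: the proxy
        # operator can read or modify it. Nothing in this file changes that.
    }
}
```

Check the file with nginx -t before reloading. Note what the verification directives do and do not buy: proxy_ssl_verify on protects the proxy-to-origin hop against a network attacker, but the client still has no end-to-end TLS with the origin and has to trust whoever runs the proxy, which is the limitation stated in the reply above.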

